Cyber Posture

CVE-2025-57156

Severity: High · Public PoC referenced

Published: 20 January 2026
Modified: 13 February 2026
KEV Added: not listed
Patch: commit 5e4d40ee03ae22ab79534bb1410fa9db96c9fabd (owntone-server)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0024 (47.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-57156 is a high-severity NULL pointer dereference (CWE-476) in Owntone Server (vendor: Owntone), with a CVSS v3.1 base score of 7.5 (High). The vector confines the impact to availability: an unauthenticated remote request can crash the server process, with no confidentiality or integrity loss.

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS places the issue at the 47.7th percentile by exploit likelihood (below the median), it is not listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004), i.e. crashing the server to deny service.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The NULL pointer dereference lets an unauthenticated remote client crash the server process, which is exactly the endpoint denial of service through application exploitation that T1499.004 describes.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash).

Deeper analysis

CVE-2025-57156 is a NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c of owntone-server. It affects the code through commit 6d604a1, a commit newer than the 28.12 release, so the 28.12 release and development builds after it are in scope. Published on 2026-01-20, the issue is classified as CWE-476 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H): high impact on availability, no impact on confidentiality or integrity.

An unauthenticated remote attacker can trigger it over the network with low attack complexity and no user interaction. The dereference crashes the owntone-server process and takes the service down for every client. The handler lives in the DACP (remote control) part of the HTTP server, so the endpoint is reachable by any client that can reach OwnTone's HTTP listener; the CVSS vector records no authentication requirement.

The fix is commit 5e4d40ee03ae22ab79534bb1410fa9db96c9fabd in the owntone-server GitHub repository. Further details on the vulnerability and remediation are provided in the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md and in GitHub issue #1907 at https://github.com/owntone/owntone-server/issues/1907. Note that the affected-products entry (≤ 28.12) understates the exposure: the vulnerable code persists in commits after the 28.12 release up to the fix, so confirm that a deployed build contains the fix commit rather than relying on the release version alone.
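The page identifies only the function and the weakness class (CWE-476), not the exact line at fault, so the following is an added illustration of the pattern, written for this page and not taken from owntone-server. It assumes a representative DACP-style handler that looks up a query parameter (hypothetically named "mode", with a hypothetical value "clear") and uses it; the tiny query model and both handlers are constructed here. The vulnerable shape dereferences the lookup result before checking that the client actually sent the parameter, and the hardened shape rejects the request with a 4xx status instead of crashing the daemon.

```c
/* Illustration of the CWE-476 pattern behind a crash like CVE-2025-57156.
 * Written for this page; NOT owntone-server's code. The parameter name
 * "mode", the value "clear" and the query model are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a parsed query string: key/value pairs. */
struct query_param { const char *key; const char *value; };
struct query { const struct query_param *params; size_t count; };

/* Returns the value for key, or NULL when the client did not send it.
 * This "NULL means absent" convention is what makes the bug possible. */
static const char *
query_value_find(const struct query *q, const char *key)
{
  for (size_t i = 0; i < q->count; i++)
    if (strcmp(q->params[i].key, key) == 0)
      return q->params[i].value;
  return NULL;
}

/* Vulnerable shape: the parameter is used before anyone checked that it
 * exists. A request that omits it makes strcmp() read through NULL and
 * the whole server process dies (availability impact only). */
static int
handler_vulnerable(const struct query *q)
{
  const char *mode = query_value_find(q, "mode");
  if (strcmp(mode, "clear") == 0)   /* crashes when mode == NULL */
    return 204;
  return 400;
}

/* Hardened shape: check presence before use and answer the client with
 * a 4xx instead of taking the daemon down with it. */
static int
handler_hardened(const struct query *q)
{
  const char *mode = query_value_find(q, "mode");
  if (mode == NULL)
    return 400;                      /* missing parameter: reject, don't crash */
  if (strcmp(mode, "clear") == 0)
    return 204;
  return 400;
}

/* Request builders so the two shapes can be exercised by name. */
static int
hardened_with_mode(const char *value)
{
  const struct query_param p[] = { { "mode", value } };
  const struct query q = { p, 1 };
  return handler_hardened(&q);
}

static int
hardened_without_mode(void)
{
  const struct query q = { NULL, 0 };   /* client sent no parameters */
  return handler_hardened(&q);
}

static int
vulnerable_with_mode(const char *value)
{
  const struct query_param p[] = { { "mode", value } };
  const struct query q = { p, 1 };
  return handler_vulnerable(&q);
}

int main(void)
{
  printf("hardened, mode=clear:   %d\n", hardened_with_mode("clear"));
  printf("hardened, mode missing: %d\n", hardened_without_mode());
  printf("vulnerable, mode=clear: %d\n", vulnerable_with_mode("clear"));
  /* handler_vulnerable() on a request without "mode" would dereference
   * NULL and SIGSEGV; it is deliberately not called here. */
  return 0;
}
```

The point of the hardened handler is that the server's availability no longer depends on the client being well behaved: any lookup that can return NULL is checked at the boundary, and a malformed request costs one 400 response rather than the process. The same rule applies to every optional header or query value an HTTP handler reads.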

Details

CWE(s)

CWE-476 NULL Pointer Dereference

Affected Products

owntone · owntone server · ≤ 28.12 (the NVD description also covers development commits after 28.12 through commit 6d604a1)

CVEs Like This One

CVE-2025-63648 (same product: Owntone Owntone Server)
CVE-2025-63647 (same product: Owntone Owntone Server)
CVE-2025-57155 (same product: Owntone Owntone Server)
CVE-2026-4652 (shared CWE-476)
CVE-2026-33282 (shared CWE-476)
CVE-2025-0430 (shared CWE-476)
CVE-2026-31256 (shared CWE-476)
CVE-2025-69649 (shared CWE-476)
CVE-2026-27141 (shared CWE-476)
CVE-2026-25795 (shared CWE-476)
